Tuesday, November 19, 2013

Cryptolocker Virus

Cryptolocker:  What to do to protect yourself and what to do if you get it.

What is Cryptolocker? Cryptolocker is a Trojan horse virus that surfaced late September 2013, a form of ransom ware that targets computers running Microsoft Windows software. Cryptolocker disguises itself as a legitimate attachment. When activated, it encrypts a variety of files with a mixture of RSA and AES encryption. When finished it prompts the user to pay a fee for the key to unlock the files being held ransom.

There is a screen that displays a timer with a countdown, the purpose of the timer is to create a sense of urgency to “pay” the fee to get the files back.  In November of 2013, the creators of the virus put up a website for users that have had the timer run out, and on the web page it has an option for those users to pay a ransom even if the timer has run out.

The ransom must be paid with Moneypak vouchers or Bitcoins. Once you send the payment, and its verified, the program will then decrypt the files that are encrypted.

What should you do if you are infected with Crytolocker? The first thing that you should do is disconnect the machine infected from the wireless or wired network. That way the virus won’t have a chance to infect other networked devices. Ideally, you should have your files backed up and accessible on a non networked device or drive.

Is it possible to decrypt the files by Cryptolocker? Unfortunately, at the time of this writing there is no known way to decrypt the files private key easily and quickly. The only method of restoring the files is from a backup copy or imaged copy of the files.

How do I find out if I have been infected with Cryptolocker? Make sure you have an Anti-virus suite or program installed and its definitions are up to date. Run a full scan. There are various tools available on the web that can help if you do not have an anti-virus installed, a quick Google search will point you in the right direction. There are also methods of manually removing the virus from the registry, which is not recommended for the non-computer savvy user.

How do I become infected  with the Cryptolocker virus? The infection is typically sent out to company emails, and disguised as a customer support related issues from another company, for example FED EX, USPS, UPS, DHS, etc. The file might be named 1056_FORM.exe or 1056_FORM.pdf.exe. Since Microsoft does not show file extensions by default, the files look like normal .PDF files. 

I have provided links below to pages that discusses in depth the Cryptolocker virus and methods of mitigation, and methods of removal:


No comments:

Post a Comment